Week of May 26, 2025 (Service release 2505)

Microsoft Intune Suite
Endpoint Privilege Management rules explicitly deny elevation
Endpoint Privilege Management (EPM) elevation rules now include a new file elevation type of Deny. An EPM elevation rule set to Deny blocks the specified file from running in an elevated context. While we recommend using file elevation rules to allow users to elevate specific files, a deny rule can help you ensure that certain files like known and potentially malicious software can't be run in an elevated context.

Deny rules support the same configuration options as other elevation types except for child processes, which are not used.

For more information about EPM, which is available as an Intune Suite add-on capability, see Endpoint Privilege Management overview.

App management
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:

  • Windows App by Microsoft Corporation (Android)
  • Microsoft Clipchamp by Microsoft Corporation (iOS)
  • 4CEE Connect by 4CEE Development
  • Mobile Helix Link for Intune by Mobile Helix

Device configuration
Manage DFCI profiles for Windows devices
We've added support for using DFCI profiles to manage UEFI (BIOS) settings on NEC devices that run Windows 10 or Windows 11. Not all NEC devices running Windows are enabled for DFCI. Contact your device vendor or manufacturer to confirm which devices are eligible.

You can manage DFCI profiles from within the Microsoft Intune admin center by going to Devices > Manage devices > Configuration > Create > New policy, then selecting Windows 10 and later for platform, Templates, and Device Firmware Configuration Interface for profile type.

Device enrollment
Custom naming template for AOSP devices
Use a custom template for naming AOSP user-affiliated and userless devices when they enroll with Intune. The template is available to configure in the enrollment profile. It can contain a combination of free text and predefined variables, such as device serial number, device type, and for user-affiliated devices, the owner's username.

Change to role-based access control for device enrollment limits
We updated role-based access control (RBAC) for device enrollment limits. If you're currently assigned the Policy and Profile Manager role, or the Device configurations permissions that are built into that role, you now have read-only access to device enrollment limit policies. To create and edit these policies, you must be an Intune Administrator.

Device management
Cross Platform Device Inventory
Android, iOS, and Mac devices are now added to device inventory. Intune collects a default set of inventory data, including 74 Apple properties and 32 Android properties.

Enhanced security during unattended Remote Help sessions on Android devices
During unattended Remote Help sessions on Android devices, we've enhanced security and user awareness by blocking the device screen for the duration of the session and notifying users if they interact with it.

This feature is for Zebra and Samsung devices enrolled as Android Enterprise corporate-owned dedicated devices.

Device security
Detect rooted corporate-owned Android Enterprise devices
Configure compliance policies to detect if a corporate-owned Android Enterprise device is rooted. If Microsoft Intune detects that a device is rooted, you can have it marked as noncompliant. This feature is now available for devices enrolled as fully managed, dedicated, or corporate-owned with a work profile. For more information, see Device compliance settings for Android Enterprise in Intune.
Applies to:

  • Android

New endpoint security profile for configuring Endpoint detection and response and Antivirus exclusion settings on Linux devices
As part of the Intune scenario for Microsoft Defender for Endpoint security settings management, a new Endpoint detection and response profile for Linux, named Microsoft Defender Global Exclusions (AV+EDR), lets you manage Linux device exclusions for both Microsoft Defender Endpoint detection and response (EDR) and Antivirus (AV) from a single policy.

This profile supports the global exclusion settings detailed in Configure and validate exclusions on Linux in the Microsoft Defender documentation. Because these exclusions apply to both the antivirus and EDR engines on the Linux client, they stop real-time protection and EDR alerts for the excluded items. Exclusions are defined by file path, folder, or process, as explicitly specified by the admin in the policy.

The new Intune profile:

  • Is available in addition to the existing endpoint security Antivirus policy for Microsoft Defender Antivirus.
  • Is supported for devices you manage through the Microsoft Defender for Endpoint security settings management scenario.
  • Is not supported for Linux devices managed directly by Intune.

For details about the available Defender settings, see Configure security settings in Microsoft Defender for Endpoint on Linux in the Defender for Endpoint documentation.

Applies to:

  • Linux
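A global exclusion removes a file, folder, or process from both AV scanning and EDR alerting, so an over-broad entry is a monitoring blind spot rather than a tuning choice. The following added Python example (not Microsoft's code, and not the Intune profile schema) reviews a constructed exclusion list in the three kinds the text names (file path, folder, process) and flags entries a reviewer should make the admin justify; the list format, the folder roots, and the interpreter names are assumptions.

```python
import posixpath
from dataclasses import dataclass

# Constructed sample list (not exported from Intune or Defender). Each entry
# names one of the three exclusion kinds the profile supports.
SAMPLE_EXCLUSIONS = [
    {"kind": "folder", "value": "/var/lib/postgresql"},   # narrow, typical
    {"kind": "folder", "value": "/tmp"},                  # world-writable staging area
    {"kind": "file", "value": "/opt/app/bin/agent"},
    {"kind": "process", "value": "bash"},                 # bare interpreter name
    {"kind": "process", "value": "/usr/bin/java"},        # interpreter, absolute path
    {"kind": "folder", "value": "/"},                     # excludes the whole filesystem
]

# Assumption: folder roots and interpreters most reviews single out.
BROAD_FOLDERS = {"/", "/tmp", "/var/tmp", "/dev/shm", "/home", "/root",
                 "/etc", "/usr", "/var"}
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl",
                "ruby", "node", "java"}


@dataclass
class Finding:
    kind: str
    value: str
    reason: str


def review_exclusions(exclusions):
    """Return a Finding for each exclusion that widens the AV+EDR blind spot."""
    findings = []
    for entry in exclusions:
        kind, value = entry["kind"], entry["value"]
        if kind in ("file", "folder"):
            if not value.startswith("/"):
                findings.append(Finding(kind, value, "relative path: match depends on cwd"))
                continue
            if kind == "folder" and posixpath.normpath(value) in BROAD_FOLDERS:
                findings.append(Finding(kind, value,
                                        "broad folder: anything dropped here is invisible to AV and EDR"))
        elif kind == "process":
            if posixpath.basename(value) in INTERPRETERS:
                findings.append(Finding(kind, value,
                                        "interpreter: every script it runs inherits the exclusion"))
            elif not value.startswith("/"):
                findings.append(Finding(kind, value,
                                        "bare process name: any binary with this name matches"))
    return findings


if __name__ == "__main__":
    for f in review_exclusions(SAMPLE_EXCLUSIONS):
        print(f"{f.kind:8} {f.value:24} {f.reason}")
```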

Tenant administration
Data collection from SimInfo entity on Windows devices
You can now collect data from the SimInfo entity on Windows devices with enhanced device inventory. For more information, see Intune Data Platform.

Applies to:

  • Windows